mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-01 02:46:16 -05:00
dde3430da8
* terraform: support AWS marketplace images * terraform-provider: support AWS marketplace images * docs: add instructions on AWS marketplace images * ci: adapt marketplace image test for AWS * Update internal/config/config.go Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com> * docs: update config * Update docs/docs/getting-started/marketplaces.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * docs: update license information * docs: use CSP tabs for marketplace overview * Update docs/docs/getting-started/marketplaces.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/getting-started/marketplaces.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/getting-started/marketplaces.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> --------- Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
207 lines
6.3 KiB
Go
207 lines
6.3 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
/*
|
|
Package imagefetcher provides helping wrappers around a versionsapi fetcher.
|
|
|
|
It also enables local image overrides and download of raw images.
|
|
*/
|
|
package imagefetcher
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io/fs"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/api/fetcher"
|
|
"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
|
"github.com/edgelesssys/constellation/v2/internal/mpimage"
|
|
"github.com/edgelesssys/constellation/v2/internal/semver"
|
|
"github.com/spf13/afero"
|
|
)
|
|
|
|
// Fetcher fetches image references using a lookup table.
|
|
type Fetcher struct {
|
|
fetcher versionsAPIImageInfoFetcher
|
|
fs *afero.Afero
|
|
}
|
|
|
|
// New returns a new image fetcher.
|
|
func New() *Fetcher {
|
|
return &Fetcher{
|
|
fetcher: versionsapi.NewFetcher(),
|
|
fs: &afero.Afero{Fs: afero.NewOsFs()},
|
|
}
|
|
}
|
|
|
|
// FetchReference fetches the image reference for a given image version uid, CSP and image variant.
|
|
func (f *Fetcher) FetchReference(ctx context.Context,
|
|
provider cloudprovider.Provider, attestationVariant variant.Variant,
|
|
image, region string, useMarketplaceImage bool,
|
|
) (string, error) {
|
|
ver, err := versionsapi.NewVersionFromShortPath(image, versionsapi.VersionKindImage)
|
|
if err != nil {
|
|
return "", fmt.Errorf("parsing config image short path: %w", err)
|
|
}
|
|
|
|
imgInfoReq := versionsapi.ImageInfo{
|
|
Ref: ver.Ref(),
|
|
Stream: ver.Stream(),
|
|
Version: ver.Version(),
|
|
}
|
|
|
|
url, err := imgInfoReq.URL()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
imgInfo, err := getFromFile(f.fs, imgInfoReq)
|
|
if err != nil && errors.Is(err, fs.ErrNotExist) {
|
|
imgInfo, err = f.fetcher.FetchImageInfo(ctx, imgInfoReq)
|
|
}
|
|
|
|
var notFoundErr *fetcher.NotFoundError
|
|
switch {
|
|
case errors.As(err, ¬FoundErr):
|
|
overridePath := imageInfoFilename(imgInfoReq)
|
|
return "", fmt.Errorf("image info file not found locally at %q or remotely at %s", overridePath, url)
|
|
case err != nil:
|
|
return "", err
|
|
}
|
|
|
|
if err := imgInfo.Validate(); err != nil {
|
|
return "", fmt.Errorf("validating image info file: %w", err)
|
|
}
|
|
|
|
if useMarketplaceImage {
|
|
return buildMarketplaceImage(marketplaceImagePayload{
|
|
ver: ver,
|
|
provider: provider,
|
|
attestationVariant: attestationVariant,
|
|
imgInfo: imgInfo,
|
|
filters: filters(provider, region),
|
|
})
|
|
}
|
|
|
|
return getReferenceFromImageInfo(provider, attestationVariant.String(), imgInfo, filters(provider, region)...)
|
|
}
|
|
|
|
// marketplaceImagePayload is a helper struct to pass around the required information to build a marketplace image URI.
|
|
type marketplaceImagePayload struct {
|
|
ver versionsapi.Version
|
|
provider cloudprovider.Provider
|
|
attestationVariant variant.Variant
|
|
imgInfo versionsapi.ImageInfo
|
|
filters []filter
|
|
}
|
|
|
|
// buildMarketplaceImage returns a marketplace image URI for the given CSP and version.
|
|
func buildMarketplaceImage(payload marketplaceImagePayload) (string, error) {
|
|
sv, err := semver.New(payload.ver.Version())
|
|
if err != nil {
|
|
return "", fmt.Errorf("parsing image version: %w", err)
|
|
}
|
|
|
|
if sv.Prerelease() != "" {
|
|
return "", fmt.Errorf("marketplace images are not supported for prerelease versions")
|
|
}
|
|
|
|
switch payload.provider {
|
|
case cloudprovider.Azure:
|
|
// For Azure, multiple fields of information are required to use marketplace images,
|
|
// so we pack them in a custom URI.
|
|
return mpimage.NewAzureMarketplaceImage(sv).URI(), nil
|
|
case cloudprovider.GCP:
|
|
// For GCP, we just need to replace the GCP project name (constellation-images) to the public project that
|
|
// hosts the marketplace images (mpi-edgeless-systems-public).
|
|
imageRef, err := getReferenceFromImageInfo(payload.provider, payload.attestationVariant.String(), payload.imgInfo, payload.filters...)
|
|
if err != nil {
|
|
return "", fmt.Errorf("getting image reference: %w", err)
|
|
}
|
|
return strings.Replace(imageRef, "constellation-images", "mpi-edgeless-systems-public", 1), nil
|
|
case cloudprovider.AWS:
|
|
// For AWS, we use the AMI alias, which just needs the version and infers the rest transparently.
|
|
return fmt.Sprintf("resolve:ssm:/aws/service/marketplace/prod-77ylkenlkgufs/%s", payload.imgInfo.Version), nil
|
|
default:
|
|
return "", fmt.Errorf("marketplace images are not supported for csp %s", payload.provider.String())
|
|
}
|
|
}
|
|
|
|
func filters(provider cloudprovider.Provider, region string) []filter {
|
|
var filters []filter
|
|
switch provider {
|
|
case cloudprovider.AWS:
|
|
filters = append(filters, func(i versionsapi.ImageInfoEntry) bool {
|
|
return i.Region == region
|
|
})
|
|
}
|
|
return filters
|
|
}
|
|
|
|
func getFromFile(fs *afero.Afero, imgInfo versionsapi.ImageInfo) (versionsapi.ImageInfo, error) {
|
|
fileName := imageInfoFilename(imgInfo)
|
|
|
|
raw, err := fs.ReadFile(fileName)
|
|
if err != nil {
|
|
return versionsapi.ImageInfo{}, err
|
|
}
|
|
|
|
var newInfo versionsapi.ImageInfo
|
|
if err := json.Unmarshal(raw, &newInfo); err != nil {
|
|
return versionsapi.ImageInfo{}, fmt.Errorf("decoding image info file: %w", err)
|
|
}
|
|
|
|
return newInfo, nil
|
|
}
|
|
|
|
var filenameReplaceRegexp = regexp.MustCompile(`([^a-zA-Z0-9.-])`)
|
|
|
|
func imageInfoFilename(imgInfo versionsapi.ImageInfo) string {
|
|
path := imgInfo.JSONPath()
|
|
return filenameReplaceRegexp.ReplaceAllString(path, "_")
|
|
}
|
|
|
|
// getReferenceFromImageInfo returns the image reference for a given CSP and image variant.
|
|
func getReferenceFromImageInfo(provider cloudprovider.Provider,
|
|
attestationVariant string, imgInfo versionsapi.ImageInfo,
|
|
filt ...filter,
|
|
) (string, error) {
|
|
var correctVariant versionsapi.ImageInfoEntry
|
|
var found bool
|
|
variantLoop:
|
|
for _, variant := range imgInfo.List {
|
|
gotCSP := cloudprovider.FromString(variant.CSP)
|
|
if gotCSP != provider || variant.AttestationVariant != attestationVariant {
|
|
continue
|
|
}
|
|
for _, f := range filt {
|
|
if !f(variant) {
|
|
continue variantLoop
|
|
}
|
|
}
|
|
correctVariant = variant
|
|
found = true
|
|
break
|
|
}
|
|
if !found {
|
|
return "", fmt.Errorf("image not available in image info for CSP %q, variant %q and other filters", provider.String(), attestationVariant)
|
|
}
|
|
|
|
return correctVariant.Reference, nil
|
|
}
|
|
|
|
type versionsAPIImageInfoFetcher interface {
|
|
FetchImageInfo(ctx context.Context, imageInfo versionsapi.ImageInfo) (versionsapi.ImageInfo, error)
|
|
}
|
|
|
|
type filter func(versionsapi.ImageInfoEntry) bool
|